Reputation: 3585
How to confirm that a payment was successful when using payments gateways?
This is how payment gateways works as I understand.
We send necessary POST Request to Payment Gateway (2checkouts, Paypal, etc).
Payments handle by Payments Getaway.
Then Payment Getaway send us POST parameters . Assume that Payment Getaway return parameters to example.com/return.php page.
I know that they send POST parameter like status or something. We can take it to verify the Payments.
So what we do is, we write a codes in example.com/return.php page to verify the payment.
But what happen if any user/hacker send all POST parameters (I mean as Payment Gateway send) to example.com/return.php page.
How should I handle about this?
Upvotes: 0
Views: 1610
Answers (1)
Reputation: 26624
You are supposed to verify that you get your POST parameters from the source you expect it to come from. In the case of Paypal, let's use their Instant Payment Notification (or IPN) as an example.
Looking at their IPN docs, they suggest:
Check email address to make sure that this is not a spoof
However, more importantly, you should look at:
verify_sign = AtkOfCXbDm2hu0ZELryHFjY-Vb7PAUvS6nMXgysbElEn9v-1XcmSoGtf
Before you can trust the contents of the message, you must first verify that the message came from PayPal. To verify the message, you must send back the contents in the exact order they were received and precede it with the command _notify-validate, as follows:
This means that, when you receive an IPN to example.com/return.php page, which can be at any time and not in the normal flow of a HTTP request / response that your end-user will be triggering, you then send this information back to PayPal and get them to verify that what you received was both correct and from them.
PayPal will then send one single-word message, either VERIFIED, if the message is valid, or INVALID if the messages is not valid.
So in your hypothetical example of someone sending spoofed data to your endpoint, PayPal would verify it as invalid anyway, and then you can go about what you need to do to make sure it doesn't happen again (logging, IPTables etc).
Upvotes: 3
Related Questions
- Transaction Status API in PHP for Payment Gateway
- How do i know whether the client paypal transaction is successful or not on my success page
- When is a payment successful in Stripe?
- How do we know if payment is successful or not in Indian Ccavenue Payment gateway
- Payment gateway integration
- Make return URL for getting a response from bank/paymentgateway
- How do i get the status of Paypal when it is completed
- Confirming a processed payment with PayPal in PHP
- How to check if a paypal payment is completed or not?
- How to verify successful payment of paypal